Frequently Asked Questions
Why should we conduct a penetration test?
Computers and the associated IT infrastructure have become an indispensable part of every business today. However, this leads to a growing amount of critical data being stored in IT systems, as well as a dependence on these systems to function reliably. Consequently, attacks on corporate IT systems in the form of industrial espionage, disruption of system availability, ransomware attacks, and other methods to significantly harm a company are on the rise. A penetration test provides insights into the security status of your systems and the likelihood of a successful attack on your structures. It also offers recommendations on how to better protect yourself from potential compromises in the future. For a detailed explanation of why penetration testing is beneficial, refer to the Definition section.
What is the workflow of a penetration test?
Before every penetration test, a personal preliminary meeting takes place as a fundamental step. During this preliminary meeting, the possibilities of a penetration test concerning the customer’s systems are presented. A penetration test only makes sense if it is conducted in a customised and customer-oriented manner. Once the details are clarified, the penetration test is carried out within an agreed-upon period. Immediately following the test, a final presentation takes place, providing insight into the discovered vulnerabilities along with corresponding solution proposals. Additionally, a detailed report is handed over. More detailed information about the process of a penetration test can be found under workflow.
How is RedTeam Pentesting different from other companies that offer penetration tests?
RedTeam Pentesting specialises exclusively in penetration testing, unlike many other companies in the IT security industry that offer penetration testing as one of many services in their portfolio. At RedTeam Pentesting, the purpose of the penetration test is not to sell additional services but to provide an independent security assessment.
Security specialists at RedTeam Pentesting work closely in teams to achieve practical results. The results are thoroughly documented with the aim of conveying the necessary knowledge about vulnerabilities in an understandable way. This allows our customers to fully understand and efficiently address any vulnerabilities found. Furthermore, all employees of RedTeam Pentesting are permanent staff. To ensure both the consistently high quality of the tests and confidentiality, no subcontractors or freelancers are used, even during peak periods.
At the end of the penetration test, we provide the customer not only with a detailed report describing the vulnerabilities, risks, and proposed solutions but also present the results in a personal meeting. This allows the customer not only to view the systems from an attacker’s perspective during live demonstrations of the vulnerabilities but also to discuss the vulnerabilities with the security specialists.
Why does RedTeam Pentesting not offer any additional services or products besides penetration testing?
RedTeam Pentesting exclusively offers penetration tests to ensure the independence and objectivity of the test results, as no additional products or services are sold after the penetration test. The specialisation also ensures that RedTeam Pentesting’s employees have extensive experience and specialised knowledge in penetration testing.
How much information does RedTeam Pentesting need from us?
The type and extent of necessary information vary depending on the requested type of penetration test. Different terminologies are used for this purpose, the definitions of which are unfortunately not standardised and thus may be understood differently. Often mentioned are closed box and open box tests (formerly black box and white box). RedTeam Pentesting’s understanding of these terms can be found in this FAQ.
RedTeam Pentesting typically recommends providing information that is relevant to the planned penetration test. Pentests conducted as closed box tests potentially suffer from the issue that unintended third parties could be inadvertently involved without their consent. Additionally, providing technical details before the test allows for a quicker and more efficient discovery of vulnerabilities relevant to a company’s security. It should always be assumed that real, serious attackers may have already obtained or can obtain the necessary information with sufficient lead time. The specific information required for conducting an efficient penetration test is individually coordinated in a preliminary meeting.
What are closed box and open box tests?
A closed box test (formerly black box test) is typically defined as a test where the penetration testers do not receive more information than attackers without internal knowledge would have. The idea is to find out how far potential attackers can get without any internal information.
In contrast, an open box test (formerly white box test) means that knowledge about the systems to be tested is provided in full (such as network diagrams or source code of web applications). Additionally, it may involve providing permissions, such as a user account similar to those owned by employees in the corporate network, or access credentials for a web application similar to those owned by regular customers.
When only partial information is disclosed, it is often referred to as a grey box test. These forms of penetration test differ only in the evidence the test provides that attackers can obtain certain information on their own. An explanation of the information required by RedTeam Pentesting can be found in this FAQ.
What types of systems does RedTeam Pentesting test?
RedTeam Pentesting tests all types of systems in principle. RedTeam Pentesting does not limit itself exclusively to network tests or penetration tests of web applications. Even newly developed hardware or other products are examined. The section Types of Tests provides more detailed information on the types of penetration tests performed by RedTeam Pentesting. Additionally, many vulnerability classes are independent of specific types of software or hardware. This makes our extensive knowledge and expertise applicable even to systems previously unknown to us.
Why should not only the network perimeter be tested, but also the internal network?
In contrast to a penetration test that only examines externally accessible systems, a test focusing solely on systems reachable within the company’s internal network assumes that access to the internal network has already been obtained. In many cases, this does not require exploiting technical vulnerabilities or gaining physical access to the network, as real attackers may also conduct social engineering attacks against employees to achieve this goal. Additionally, internal networks often have insufficient precautions in place because they are presumed to be accessible only to trusted individuals. It can have catastrophic consequences if mere penetration of the internal network bypasses all security measures.
Therefore, in most cases, it is advisable to conduct penetration tests on both externally and internally reachable systems within the IT infrastructure. Often, a test that directly considers both perspectives is the most suitable approach.
Does RedTeam Pentesting do social engineering?
Social engineering is a specific type of attack that aims to exploit human weaknesses as an extension of attacks on a purely technical level. This approach can be surprisingly effective because the human factor often represents the weakest link in a company’s security chain.
However, conducting social engineering attacks as part of penetration tests is controversial. While the chances of success for such attacks are significant, the learning impact is usually limited to the immediate environment of the affected employees. Employees who are not affected typically cannot empathise with being targeted by these attacks themselves. From their perspective, social engineering attacks may appear too simple to be successful. Moreover, the execution of social engineering attacks can potentially damage the client’s work environment, as directly affected employees may feel betrayed by this approach. For these reasons, RedTeam Pentesting does not conduct social engineering attacks. However, it is generally assumed in the execution of penetration tests that social engineering attacks could be successful, allowing for testing of a company’s internal network under this assumption.
Can any harm be done to our productive systems during the test?
Unlike real attackers, RedTeam Pentesting handles customer systems with great care to avoid potential production outages. RedTeam Pentesting always strives to leave systems unharmed. Attacks that pose a risk of system failure are only carried out after consultation with the customer.
Of course, it cannot be completely ruled out that a production system may experience an outage due to an attack. For such cases, emergency contacts are arranged in advance to enable quick response if needed.
Are denial-of-service attacks also tested?
Denial-of-Service (DoS) attacks are only examined with prior agreement from the respective client. Additionally, only specific types of Denial-of-Service attacks are considered during penetration tests, in particular those that allow attackers to take down the system with minimal resource cost. This may be due to a misconfiguration or software flaw. These types of attacks are conducted after agreement to verify their feasibility.
However, attacks that completely saturate the client’s available network capacity are not tested. These attacks are always possible for attackers with the appropriate resources and could potentially overload third-party systems. Therefore, Distributed Denial-of-Service (DDoS) attacks are also not part of a penetration test.
What time investment do you estimate for a penetration test?
The time required for a penetration test varies from case to case due to the highly diverse IT structures and individual requirements of each test. Generally, the effort ranges from a few days to several weeks. Estimating an appropriate time frame is, among other things, part of the preliminary meeting.
On the client’s side, personnel resources are usually only minimally engaged. What is primarily needed is a contact person for addressing any questions that may arise during the penetration test.
What happens to confidential data RedTeam Pentesting gathers during the penetration test?
RedTeam Pentesting is committed to absolute confidentiality regarding customers’ sensitive data. A Non-Disclosure Agreement (NDA) is included as part of every contract, stipulating that RedTeam Pentesting treats customer information confidentially. Additionally, the data used for creating an offer is subject to the same confidentiality requirements applied to all customer data at RedTeam Pentesting. At the conclusion of a penetration test, all accumulated data or data media are either securely destroyed or returned to the customer, including printed manuals or tested devices.
Are the results written down in a report?
Each client receives a comprehensive report upon completion of the penetration test. A typical report includes a non-technical summary of all results for management, providing them with a concise and precise overview of the security posture of the tested system. This is followed up by a more extensive technical explanation for administrators, developers, and other technically responsible individuals. The technical section includes a detailed description of each identified vulnerability, how it was discovered and exploited, along with a risk analysis and proposed solutions for mitigation.
Can we get a list of RedTeam Pentesting's references?
RedTeam Pentesting’s clients include national and international companies from various industries. Some of the sectors represented among RedTeam Pentesting’s clients include:
- Trade & industry
- Banking & insurance companies
- Public administration & authorities
- IT service providers & data centres
As our clients place great emphasis on confidentiality, RedTeam Pentesting does not publish a list of references. However, you can gain an initial impression by reviewing the published testimonials, in which a selection of clients share their experiences with RedTeam Pentesting.
Are there legal requirements for penetration tests?
While there is typically no explicit requirement from legislators for companies to conduct penetration tests, it may be implicitly required to implement security measures such as penetration testing to comply with different legal provisions and industry standards.
For example, data protection regulations like the General Data Protection Regulation (GDPR) in the European Union or industry-specific requirements such as the Payment Card Industry Data Security Standards (PCI DSS) may include mandates for regular security assessments and penetration tests.
The need for penetration testing can also arise from other legal obligations, such as liability or duty of care. Companies processing sensitive data or operating critical infrastructures often seek to conduct penetration tests to identify and address potential security vulnerabilities before they can be exploited by attackers.
Overall, it is important for companies to be aware of the legal requirements and industry standards that apply to them and to ensure they implement appropriate security measures, which may include penetration testing.
In what countries does RedTeam Pentesting offer penetration tests?
RedTeam Pentesting’s clients include numerous national and international companies from various sectors. Penetration tests are conducted in the project languages English or German. Depending on the specific requirements, this can be done worldwide either on-site at the client’s location or over the Internet.